Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for providing targeted data loss prevention on unmanaged computing devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: identifying a data loss prevention policy that defines permissible data handling within set bounds to prevent unauthorized data exfiltration from the set bounds; identifying an application to install on at least one unmanaged endpoint device, where: the unmanaged endpoint device lacks a data loss prevention agent configured to apply the data loss prevention policy to the entire unmanaged endpoint device; the application is to be provided to the unmanaged endpoint device to operate on sensitive data from within the set bounds; wrapping the application in an application wrapper that intercepts system calls from the application and applies the data loss prevention policy to sensitive data implicated in the system calls, where the application wrapper thereby applies the data loss prevention policy to data handled by the application instead of applying the data loss prevention policy to the entire unmanaged endpoint device.
3. The computer-implemented method of claim 1, wherein the application wrapper intercepts system calls from the application by redirecting the application from at least one default dynamic linked library that implements the system calls with at least one alternative dynamic linked library that applies the data loss prevention policy to the system calls.
4. The computer-implemented method of claim 1, wherein the application wrapper intercepts system calls from the application by injecting a dynamic linked library into a process of the application that hooks at least one application programming interface function within the process.
5. The computer-implemented method of claim 1, wherein the data loss prevention policy protects data that is owned by a first entity and the unmanaged endpoint device is owned by a separate entity.
6. The computer-implemented method of claim 1, further comprising installing the wrapped application on the unmanaged endpoint device.
7. The computer-implemented method of claim 5, wherein installing the wrapped application on the unmanaged endpoint device comprises installing the wrapped application on the unmanaged endpoint device in response to detecting that the unmanaged endpoint device has connected to a network that falls within the set bounds.
8. The computer-implemented method of claim 5, wherein: the unmanaged endpoint device comprises an unwrapped instance of the application; the unwrapped instance of the application is for personal use by an owner of the unmanaged endpoint device and is not subject to the data loss prevention policy; an organization designates the wrapped instance of the application as for use by the owner of the unmanaged endpoint device to handle data that is owned by the organization and that is subject to the data loss prevention policy.
9. The computer-implemented method of claim 1, wherein the set bounds includes data handled by the wrapped application on the unmanaged endpoint device and excludes data handled by at least one unwrapped application on the unmanaged endpoint device.
10. The computer-implemented method of claim 1, further comprising streaming the wrapped application to the unmanaged endpoint device.
11. The computer-implemented method of claim 1, wherein applying the data loss prevention policy to the sensitive data implicated in the system calls comprises: encrypting the sensitive data before writing the sensitive data to a storage device accessible by the unmanaged endpoint device to prevent access to the sensitive data outside the unwrapped application; decrypting the sensitive data before reading the sensitive data from the storage device.
12. The computer-implemented method of claim 1, wherein applying the data loss prevention policy to the sensitive data implicated in the system calls comprises at least one of: applying the data loss prevention policy to determine whether to transmit the sensitive data from the unmanaged computing device across a network; applying the data loss prevention policy to determine whether to copy the sensitive data to a clipboard service on the unmanaged computing device; applying the data loss prevention policy to determine whether to print the sensitive data via a printer accessible to the unmanaged computing device.
13. The computer-implemented method of claim 1, wherein: the data loss prevention policy allows a mode of handling the sensitive data when the unmanaged computing device is connected to a network that is controlled by an entity that controls the data loss prevention policy; the data loss prevention policy does not allow the mode of handling the sensitive data when the unmanaged computing device is not connected to the network.
13. A system for providing targeted data loss prevention on unmanaged computing devices, the system comprising: a policy identification module, stored in memory, that identifies a data loss prevention policy that defines permissible data handling within set bounds to prevent unauthorized data exfiltration from the set bounds; an application identification module, stored in memory, that identifies an application to install on at least one unmanaged endpoint device, where: the unmanaged endpoint device lacks a data loss prevention agent configured to apply the data loss prevention policy to the entire unmanaged endpoint device; the application is to be provided to the unmanaged endpoint device to operate on sensitive data from within the set bounds; a wrapping module, stored in memory, that wraps the application in an application wrapper that intercepts system calls from the application and applies the data loss prevention policy to sensitive data implicated in the system calls, where the application wrapper thereby applies the data loss prevention policy to data handled by the application instead of applying the data loss prevention policy to the entire unmanaged endpoint device; at least one physical processor configured to execute the policy identification module, the application identification module, and the wrapping module.
14. The system of claim 13, wherein the application wrapper intercepts system calls from the application by redirecting the application from at least one default dynamic linked library that implements the system calls with at least one alternative dynamic linked library that applies the data loss prevention policy to the system calls.
15. The system of claim 13, wherein the application wrapper intercepts system calls from the application by injecting a dynamic linked library into a process of the application that hooks at least one application programming interface function within the process.
16. The system of claim 13, wherein the data loss prevention policy protects data that is owned by a first entity and the unmanaged endpoint device is owned by a separate entity.
17. The system of claim 13, wherein the wrapping module further installs the wrapped application on the unmanaged endpoint device.
18. The system of claim 17, wherein the wrapping module further installs the wrapped application on the unmanaged endpoint device by installing the wrapped application on the unmanaged endpoint device in response to detecting that the unmanaged endpoint device has connected to a network that falls within the set bounds.
19. The system of claim 17, wherein: the unmanaged endpoint device comprises an unwrapped instance of the application; the unwrapped instance of the application is for personal use by an owner of the unmanaged endpoint device and is not subject to the data loss prevention policy; an organization designates the wrapped instance of the application as for use by the owner of the unmanaged endpoint device to handle data that is owned by the organization and that is subject to the data loss prevention policy.
20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to: identify a data loss prevention policy that defines permissible data handling within set bounds to prevent unauthorized data exfiltration from the set bounds; identify an application to install on at least one unmanaged endpoint device, where: the unmanaged endpoint device lacks a data loss prevention agent configured to apply the data loss prevention policy to the entire unmanaged endpoint device; the application is to be provided to the unmanaged endpoint device to operate on sensitive data from within the set bounds; wrap the application in an application wrapper that intercepts system calls from the application and applies the data loss prevention policy to sensitive data implicated in the system calls, where the application wrapper thereby applies the data loss prevention policy to data handled by the application instead of applying the data loss prevention policy to the entire unmanaged endpoint device.
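Added illustration of the mechanism that claims 2, 3, 10, 11 and 12 describe, written for this page and not taken from the patent or its assignee: a user-space wrapper that redirects one application's file API to an alternative implementation (the analogue of swapping the default DLL for a policy-applying one), seals data on write and unseals it on read so an unwrapped process sees only ciphertext, and gates print, clipboard and network actions on whether the device address lies inside a corporate network. The `DlpWrapper` class, the `app_save`/`app_load` "application", the HMAC-SHA256 counter-mode cipher (used only because the standard library has no AES) and the sample data are all assumptions of this example; a production wrapper would use AES-GCM and real API hooking (IAT/detours on Windows, LD_PRELOAD on Linux).

```python
import builtins, hashlib, hmac, io, ipaddress, os, tempfile

_real_open = builtins.open      # the "default library" the app would otherwise resolve
_MAGIC, _NONCE_LEN, _TAG_LEN = b"DLP1", 16, 32


def _derive(key, label):
    # Independent encryption and MAC keys from one wrapper key (assumed KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # PRF in counter mode as a stream cipher; stand-in for AES, not a recommendation.
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC. Layout on disk: MAGIC | nonce | ciphertext | tag."""
    nonce = os.urandom(_NONCE_LEN)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    body = _MAGIC + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(_derive(key, b"mac"), body, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag before decrypting; reject anything the wrapper did not seal."""
    if len(blob) < len(_MAGIC) + _NONCE_LEN + _TAG_LEN or not blob.startswith(_MAGIC):
        raise ValueError("not a wrapper-sealed file")
    body, tag = blob[:-_TAG_LEN], blob[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(_derive(key, b"mac"), body, hashlib.sha256).digest()):
        raise ValueError("sealed file failed integrity check")
    nonce, ct = body[len(_MAGIC):len(_MAGIC) + _NONCE_LEN], body[len(_MAGIC) + _NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


class _SealingFile(io.BytesIO):
    """Buffers the app's writes in memory and seals them to disk on close."""
    def __init__(self, path, key):
        super().__init__()
        self._path, self._key = path, key

    def close(self):
        if not self.closed:
            with _real_open(self._path, "wb") as f:
                f.write(seal(self._key, self.getvalue()))
        super().close()


class DlpWrapper:
    """Policy: which channels are permitted on and off the corporate network (claim 12)."""
    def __init__(self, key, corporate_nets, allowed_on_corp, allowed_off_corp):
        self._key = key
        self._nets = [ipaddress.ip_network(n) for n in corporate_nets]
        self._allowed = {True: set(allowed_on_corp), False: set(allowed_off_corp)}
        self.audit = []     # (action, device_ip, allowed) decisions, for detection/IR

    def on_corporate_network(self, device_ip):
        ip = ipaddress.ip_address(device_ip)
        return any(ip in n for n in self._nets)

    def hooked_open(self, path, mode="rb"):
        # Alternative implementation of the file API: transparent seal/unseal (claim 10).
        if "w" in mode:
            return _SealingFile(path, self._key)
        with _real_open(path, "rb") as f:
            return io.BytesIO(unseal(self._key, f.read()))

    def install(self, app_namespace):
        # Redirect the symbol the app resolves, the analogue of DLL redirection (claim 2).
        app_namespace["open"] = self.hooked_open

    def permit(self, action, device_ip):
        # Gate "print", "clipboard", "network" (claim 11) by network location (claim 12).
        allowed = action in self._allowed[self.on_corporate_network(device_ip)]
        self.audit.append((action, device_ip, allowed))
        return allowed


# The "application": ordinary code that just calls open(); it never sees the policy.
def app_save(path, payload):
    with open(path, "wb") as f:
        f.write(payload)


def app_load(path):
    with open(path, "rb") as f:
        return f.read()


def run_demo():
    wrapper = DlpWrapper(os.urandom(32), ["10.0.0.0/8"],
                         allowed_on_corp={"print", "clipboard", "network"},
                         allowed_off_corp={"clipboard"})
    wrapper.install(globals())          # only this module's app_* functions are redirected
    secret = b"Q3 forecast (constructed sample): acquire ACME for 120M"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "forecast.bin")
        app_save(path, secret)
        with _real_open(path, "rb") as f:   # what an unwrapped app or the OS sees
            on_disk = f.read()
        restored = app_load(path)
    return {"roundtrip_ok": restored == secret,
            "plaintext_on_disk": secret in on_disk,
            "print_on_corp": wrapper.permit("print", "10.20.30.40"),
            "print_off_corp": wrapper.permit("print", "203.0.113.9"),
            "clipboard_off_corp": wrapper.permit("clipboard", "203.0.113.9")}
```

Call `run_demo()` to see the three properties the claims ask for: the wrapped app round-trips its data, the bytes on disk contain no plaintext for any unwrapped process, and the print channel is allowed only from a corporate address while the clipboard stays allowed off-network under this policy. The check that matters in practice is the one the example makes explicit: the wrapper, not the application, is the only component holding the key and the only one reading the policy.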
January 26, 2016